Isn't part of the point of OAuth to teach the user that they are entering credentials for another website into that other website?

By rebranding the Twitter OAuth page it gets to a point where you may as well just ask for their user/pass on your own site, and never have them leave your site/app.

I don't look at OAuth as real-time over-the-wire security, though it helps in that area. I look at it as user education with the goal of getting users to understand not to cross-pollinate user/pass data to other sites.

It would come down to users understanding to look at the URL, something many just do not understand enough to do.

I do not understand all the details of OAuth at this point. What I do know is I've learned that when I auth an app I should be looking for a distinct look and feel at a specific URL.

If that look and feel changes, red flags are raised on my part. I'd look to the URL, but wonder if I was not being tricked from TWITTER.COM to TWlTTER.COM. (Those look identical to me; a lowercase L looks a lot like an uppercase I.)

From my perspective, OAuth needs to go after the OS vendors. Integration with their underlying systems and APIs is the only way this will gain widespread use that is as secure as it can be for an end user.

Right now, integration is not tight enough for a user to even understand what they are gaining from this procedure. I can find 5 Twitter sites right now that ask me to store a login and pass for my account; they are not using OAuth, and could do what they want with my account. This just proves users are not understanding this.

Heck, Twitter's own account settings ask for raw login and password data for Gmail, Yahoo, and I believe AOL, last I looked.
iPhone says hello.

On Oct 12, 2009, at 1:41 PM, Amitab <> wrote:

2) Please integrate the OAuth authentication with my branding. At the
moment it is just the logo. I would like to have the whole background
be of my branding.
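The TWITTER.COM / TWlTTER.COM point above is a check that software can make for the user. The following is an added example, not code from the original post, from Twitter, or from the OAuth specification: a client-side check of an authorization URL against the provider host the user expects, collapsing look-alike characters (lowercase L, digit one, Cyrillic letters, punycode-encoded labels) to a common skeleton so that a host that merely resembles the real one is flagged. The expected host "twitter.com", the sample URLs and the confusable table are constructed for illustration; the table is deliberately small and not a complete list.

```python
"""Flag OAuth authorization URLs whose host only looks like the expected provider.

Added example (not code from the original post or from any OAuth provider).
Assumptions: the client knows the provider's authorization host in advance
(here the constructed value "twitter.com"), and the check runs before the
user is shown a page asking for credentials.
"""
from urllib.parse import urlsplit

# Multi-character sequences that read as one letter at a glance.
MULTI_CHAR_CONFUSABLES = {"rn": "m", "vv": "w"}

# Single characters mapped to the ASCII letter they are commonly mistaken for.
# Applied after lower-casing, so "I" (capital i) is already "i" by then and
# "l" (lowercase L) is the character that needs folding. Illustrative, not exhaustive.
SINGLE_CHAR_CONFUSABLES = {
    "l": "i", "1": "i", "|": "i", "\u0131": "i", "\u0456": "i",  # L, one, pipe, dotless i, Cyrillic i
    "0": "o", "\u043e": "o",                                     # zero, Cyrillic o
    "5": "s",
    "\u0430": "a", "\u0435": "e", "\u0440": "p",                 # Cyrillic a, e, p
    "\u0441": "c", "\u0443": "y", "\u0445": "x",                 # Cyrillic c, y, x
}


def decode_idna(host: str) -> str:
    """Turn punycode (xn--) labels back into Unicode, so the skeleton is built
    from the characters a user would see in the address bar, not the ASCII form."""
    if "xn--" not in host:
        return host
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        # Malformed punycode: fall back to the raw host so it still gets compared.
        return host


def skeleton(host: str) -> str:
    """Collapse visually confusable characters so look-alike hosts compare equal."""
    s = decode_idna(host.lower())
    for seq, canon in MULTI_CHAR_CONFUSABLES.items():
        s = s.replace(seq, canon)
    return "".join(SINGLE_CHAR_CONFUSABLES.get(ch, ch) for ch in s)


def check_authorization_url(url: str, expected_host: str) -> str:
    """Classify an authorization URL relative to the provider host we expect.

    Returns one of:
      "insecure"  - not https, so the page could be altered in transit
      "ok"        - host is exactly the expected host (case-insensitive)
      "lookalike" - host skeleton contains the expected host's skeleton
                    (TWlTTER.COM, tw1tter.com, twitter.com.login.example, ...)
      "other"     - some unrelated host
    Exact match only: a subdomain of the expected host is not accepted here.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "insecure"
    host = decode_idna(parts.hostname or "")  # urlsplit already lower-cases it
    expected = expected_host.lower()
    if host == expected:
        return "ok"
    if skeleton(expected) in skeleton(host):
        return "lookalike"
    return "other"


if __name__ == "__main__":
    # Constructed sample URLs, not captured traffic.
    samples = [
        "https://twitter.com/oauth/authorize?oauth_token=abc",
        "https://TWlTTER.COM/oauth/authorize",          # lowercase L for I
        "https://tw1tter.com/oauth/authorize",          # digit one for i
        "https://tw\u0456tter.com/oauth/authorize",     # Cyrillic i
        "https://twitter.com.login.example/oauth/authorize",
        "http://twitter.com/oauth/authorize",
        "https://example.com/oauth/authorize",
    ]
    for u in samples:
        print(f"{check_authorization_url(u, 'twitter.com'):9s} {u}")
```

The check is only as good as the expected-host list the client ships with, which is the same assumption a user makes when they "look at the URL"; it just does the looking with a confusable table instead of eyesight.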
